PostgreSQL Releases Security Update for Multiple Vulnerabilities

On November 13, 2024, the PostgreSQL Global Development Group released a security update for all supported versions of PostgreSQL. The update ships as releases 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. It addresses four security vulnerabilities and fixes over 35 bugs.

Security Vulnerabilities

CVE-2024-10976: Row Security Vulnerability
This vulnerability impacts PostgreSQL versions 12 through 17, with a CVSS v3.1 base score of 4.2. Incomplete tracking of tables that use row security allows a reused query to view or modify rows it was not intended to reach.

CVE-2024-10977: libpq Error Message Retention
Affecting versions 12 to 17, this vulnerability has a CVSS v3.1 base score of 3.1. It allows a malicious server to send arbitrary (non-NUL) bytes to a libpq-based application, which may then misinterpret them as valid query results.

CVE-2024-10978: User ID Reset Issue
This vulnerability, with a CVSS v3.1 base score of 4.2, affects versions 12 to 17. It can lead to incorrect privilege assignment when the SET ROLE or SET SESSION AUTHORIZATION commands are used, potentially leaving a less-privileged user with access to data they are not authorized to see.

CVE-2024-10979: PL/Perl Environment Variable Vulnerability
This critical vulnerability impacts versions 12 through 17, with a CVSS v3.1 base score of 8.8. It allows an unprivileged database user to change sensitive environment variables of the database server process, potentially enabling arbitrary code execution.
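The following SQL is an added example, not part of the PostgreSQL release announcement, showing two checks an administrator would run after reading the list above: whether the connected server is at or above the minor version that carries the fixes, and, for CVE-2024-10979, which roles are able to write PL/Perl functions and which PL/Perl functions already exist. It assumes a connection with enough privilege to read the system catalogs; the version numbers are the release versions named in this advisory, encoded the way server_version_num encodes them (major * 10000 + minor).

```sql
-- Added example (not from the release announcement).
-- Part 1: is this server at or above the minor version that ships the fixes?
-- server_version_num encodes major*10000 + minor, so 17.1 is 170001 and 12.21 is 120021.
WITH fixed(major, min_version_num) AS (
    VALUES (17, 170001),   -- 17.1
           (16, 160005),   -- 16.5
           (15, 150009),   -- 15.9
           (14, 140014),   -- 14.14
           (13, 130017),   -- 13.17
           (12, 120021)    -- 12.21
),
running AS (
    SELECT current_setting('server_version_num')::int         AS version_num,
           current_setting('server_version_num')::int / 10000 AS major
)
SELECT version()          AS server,
       r.version_num,
       f.min_version_num,
       CASE
           WHEN f.min_version_num IS NULL          THEN 'major version not covered by this release'
           WHEN r.version_num >= f.min_version_num THEN 'patched'
           ELSE 'NEEDS UPDATE'
       END                AS status
FROM running r
LEFT JOIN fixed f ON f.major = r.major;

-- Part 2: exposure to CVE-2024-10979 depends on who can create PL/Perl functions.
-- A NULL lanacl means the default ACL: USAGE for PUBLIC on a trusted language
-- (plperl), superusers only on an untrusted one (plperlu).
SELECT l.lanname,
       l.lanpltrusted,
       CASE
           WHEN l.lanacl IS NULL AND l.lanpltrusted THEN '<default: USAGE for PUBLIC>'
           WHEN l.lanacl IS NULL                    THEN '<default: superusers only>'
           ELSE l.lanacl::text
       END AS acl
FROM pg_language l
WHERE l.lanname IN ('plperl', 'plperlu');

-- Inventory of existing PL/Perl functions and their owners, so that code running
-- in the affected language on a not-yet-updated server can be reviewed.
SELECT n.nspname                   AS schema,
       p.proname                   AS function_name,
       pg_get_userbyid(p.proowner) AS owner,
       l.lanname                   AS language
FROM pg_proc p
JOIN pg_language l  ON l.oid = p.prolang
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE l.lanname IN ('plperl', 'plperlu')
ORDER BY 1, 2;
```

The first query is the one to keep in a fleet-wide check: a status of NEEDS UPDATE on any host means the four CVEs above are still open there. If the second query shows plperl present with the default ACL, every role on that server can define PL/Perl functions, which is exactly the population of "unprivileged users" the CVE-2024-10979 description refers to.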

Bug Fixes and Updates

The update also addresses over 35 bugs, including:

  • Issues with partition attachment and detachment with foreign key constraints
  • Problems with collation providers
  • Improvements to the query planner
  • Race conditions in transaction commits
  • JIT crashes on ARM systems

Additionally, the update includes time zone data updates to tzdata 2024b, affecting system-V-compatible zone names and historical corrections for several countries.

Installation Recommendations

Users can apply the update by shutting down PostgreSQL and updating its binaries. However, some scenarios require additional steps:

  • For partitioned tables with foreign key constraints affected by ATTACH/DETACH PARTITION commands, manual constraint adjustments may be necessary.
  • PostgreSQL 17.0 users with certain locale settings should rebuild text-based indexes using the REINDEX INDEX CONCURRENTLY command.
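The following SQL is an added example, not part of the release announcement, for the second bullet above. It first confirms whether the connected server is still 17.0, then lists every B-tree index whose key columns have a collatable type (text, varchar, char and similar) together with its definition, which shows any explicit COLLATE clause, and generates the matching REINDEX INDEX CONCURRENTLY statement. Which of these candidates actually need rebuilding depends on the locale settings described in the release notes; the query only produces the list.

```sql
-- Added example (not from the release announcement).
-- Step 1: is this the release with the index problem (17.0 = server_version_num 170000)?
SELECT current_setting('server_version_num')::int = 170000 AS running_17_0;

-- Step 2: candidate indexes. Index relations have their own pg_attribute rows, so
-- checking the index's attributes also covers expression indexes; indnkeyatts
-- limits the check to key columns and ignores INCLUDE-only columns.
SELECT n.nspname                    AS schema,
       ic.relname                   AS index_name,
       pg_get_indexdef(i.indexrelid) AS definition,
       format('REINDEX INDEX CONCURRENTLY %I.%I;', n.nspname, ic.relname) AS reindex_cmd
FROM pg_index i
JOIN pg_class ic    ON ic.oid = i.indexrelid
JOIN pg_namespace n ON n.oid = ic.relnamespace
JOIN pg_am am       ON am.oid = ic.relam
WHERE am.amname = 'btree'
  AND n.nspname NOT IN ('pg_catalog', 'information_schema', 'pg_toast')
  -- at least one key column has a collatable type
  AND EXISTS (
        SELECT 1
        FROM pg_attribute a
        JOIN pg_type t ON t.oid = a.atttypid
        WHERE a.attrelid = i.indexrelid
          AND a.attnum <= i.indnkeyatts
          AND t.typcollation <> 0
      )
ORDER BY 1, 2;

-- The generated statements are run one at a time and outside a transaction block,
-- because REINDEX ... CONCURRENTLY cannot run inside BEGIN ... COMMIT. Constructed
-- example of one generated line (the index name is made up):
-- REINDEX INDEX CONCURRENTLY public.customers_email_idx;
```

REINDEX INDEX CONCURRENTLY takes only a SHARE UPDATE EXCLUSIVE lock, so reads and writes continue while each index is rebuilt, but it needs roughly the index's size in extra disk space and leaves an invalid index behind if it is interrupted, so run the generated statements during a maintenance window and check pg_index.indisvalid afterwards.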

Advice for Users

Users running PostgreSQL 12 in production environments are strongly advised to upgrade to a newer, supported version, as PostgreSQL 12 has reached its end of life. Applying this update promptly is essential to staying secure and to continuing to receive bug fixes.

This comprehensive security update emphasizes the PostgreSQL Global Development Group’s commitment to keeping the database management system secure and reliable. Users should apply the update as soon as possible and review the release notes for detailed upgrade instructions.
